GDPR and CCPA are the two most influential data privacy laws in the world. Both give individuals rights over their personal data and impose obligations on businesses that collect it. But they differ significantly in scope, approach, and who must comply. This guide explains the key differences and what they mean for freelancers and small businesses.
What is GDPR?
The General Data Protection Regulation (GDPR) came into force in the EU in May 2018 and was retained in UK law as "UK GDPR" after Brexit. It is a comprehensive data protection framework that applies to any organisation that processes the personal data of EU or UK residents — regardless of where the organisation is based.
Key characteristics of GDPR:
- Opt-in by default: You need a lawful basis to process personal data. Consent must be freely given, specific, informed, and unambiguous.
- Broad territorial scope: Applies to any business targeting EU/UK residents, not just EU/UK-based businesses.
- Comprehensive rights: Access, correction, deletion, portability, restriction, and objection rights.
- Significant penalties: Up to €20 million or 4% of global annual turnover (whichever is greater) for serious violations.
- Accountability principle: Organisations must demonstrate compliance, not just claim it.
What is CCPA/CPRA?
The California Consumer Privacy Act (CCPA), as significantly amended by the California Privacy Rights Act (CPRA), gives California residents rights over their personal information. Unlike GDPR, it applies only to for-profit businesses and has revenue and data volume thresholds before it kicks in.
CCPA/CPRA applies to for-profit businesses that:
- Have annual gross revenues over $25 million, OR
- Buy, sell, receive, or share the personal information of 100,000 or more California consumers or households per year, OR
- Derive 50% or more of annual revenues from selling consumers' personal information
Most freelancers and small businesses don't meet these thresholds. However, even if CCPA doesn't technically apply to you, including CCPA-style disclosures in your privacy policy (and avoiding selling user data) is good practice and builds user trust.
GDPR vs CCPA: The Key Differences
Opt-in vs Opt-out
This is the most fundamental difference. GDPR is an opt-in system: you need a lawful basis to process data, and for many types of processing you need affirmative consent before beginning. CCPA is opt-out: businesses can collect and use data by default, but must give consumers the right to opt out of the sale or sharing of their personal information.
Who Must Comply
GDPR applies to any organisation processing EU/UK residents' data, regardless of size, and UK GDPR in particular sets no revenue threshold. CCPA applies only to qualifying for-profit California businesses meeting the thresholds above. Small businesses often skip CCPA compliance entirely for this reason.
Definition of Personal Data/Information
Both laws define personal data broadly, but GDPR's definition is slightly broader. GDPR covers any information relating to an identified or identifiable natural person. CCPA covers information that identifies, relates to, or could reasonably be linked with a consumer or household. Practically, both cover names, email addresses, IP addresses, cookies, location data, and browsing history.
User Rights Compared
- Right to know/access: Both GDPR and CCPA
- Right to delete: Both (with different exceptions)
- Right to portability: GDPR only
- Right to correct: Both (CPRA added correction rights)
- Right to restrict processing: GDPR only
- Right to opt out of data sales: CCPA only (GDPR uses a broader objection right)
- Right to non-discrimination: CCPA explicitly; GDPR implicitly
What Small Businesses and Freelancers Need to Do
If you have a website accessible to UK or EU users, GDPR (UK GDPR) applies to you. Minimum requirements:
- Have a privacy policy that covers all the required GDPR elements
- Obtain consent before setting non-essential cookies
- Have a lawful basis for each type of data processing
- Respond to data subject access requests within 30 days
- Have a process for deleting data on request
If you don't meet the CCPA thresholds, you don't need formal CCPA compliance. But including a "Do Not Sell or Share My Personal Information" note in your privacy policy is inexpensive and covers your bases.
Frequently Asked Questions
What is the key difference between GDPR and CCPA?
GDPR is opt-in: you cannot process personal data without a lawful basis, and consent must be obtained before many data uses. CCPA is opt-out: businesses can collect data by default, but must give consumers the right to opt out of the sale of their data. GDPR is generally stricter and broader in scope.
Does GDPR apply to US businesses?
Yes, if your website targets or serves EU or UK residents. GDPR applies based on the location of the data subjects, not the location of the business. A US-based freelancer with UK or EU visitors must comply with GDPR with respect to those visitors' data.
Does CCPA apply to small businesses?
CCPA applies to for-profit businesses meeting at least one of three thresholds: annual gross revenue over $25 million; processing data of 100,000+ consumers per year; or deriving 50%+ of revenue from selling personal information. Most freelancers and small businesses do not meet these thresholds.
What rights do users have under GDPR vs CCPA?
Under GDPR: access, correction, deletion, restriction, portability, and objection rights. Under CCPA: right to know, delete, opt out of data sales, and non-discrimination. GDPR rights are broader and more comprehensive.
If I comply with GDPR, am I also CCPA compliant?
Largely yes — GDPR compliance puts you in a strong position for CCPA because GDPR is more demanding. However, CCPA has specific requirements around the "Do Not Sell or Share" right and opt-out signals that require specific attention for businesses targeting California consumers.